Password Reuse Likely Cause of Dailymotion Attack
Complying with the General Data Protection Regulation (GDPR), video-sharing platform Dailymotion disclosed to France's Commission Nationale de l'Informatique et des Libertés (CNIL) on Friday that it suffered a credential-stuffing attack.
“The attack consists in 'guessing' the passwords of some dailymotion accounts by automatically trying a large number of combinations, or by using passwords that have been previously stolen from web sites unrelated to dailymotion,” the disclosure said.
According to the disclosure, the attack was detected by the company's technical team and, as of the January 25 announcement, was still ongoing. Infosecurity contacted Dailymotion, and a company spokesperson said, “We consider that the attack has now stopped. We are not making further comment or discussing specific details, for obvious reasons.”
Given the rise of information-stealing malware, passwords and personally identifiable information are almost guaranteed to be exposed in increasingly sophisticated and frequent data breaches, according to Scott Clements, CEO, OneSpan.
“It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cyber-criminals to capture data and commit fraud.”
Still, many consumers have yet to start using multi-factor authentication (MFA) to log into websites. Instead, they are more often than not reusing a few static passwords across multiple websites, said Michael Magrath, director, global regulations and standards, OneSpan.
“Given the vast number of password-related breaches over the past few years, the convenient yet insecure reuse of static passwords exposes individuals to the credential-stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy.”
Source: Information Security Magazine